Verdict: MALICIOUS
Risk Score: 96
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF file contains a heuristic firing for an external URI pointing to a suspicious domain, which is also listed as an IOC. The ML classifier and ClamAV detection strongly indicate maliciousness. The document body, though heavily obfuscated, contains text that appears to be a lure related to a career center, suggesting a phishing attempt.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 4
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URLs
- https://traffset.ru/strik?utm_term=hamilton+career+center+seneca+sc
- https://cdn-cms.f-static.net/uploads/4368265/normal_5f930e5188188.pdf
- https://cdn-cms.f-static.net/uploads/4381098/normal_5f90d29f45c38.pdf
- https://medizagokitoni.weebly.com/uploads/1/3/2/3/132303310/7904096.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://static1.squarespace.com/static/5fc28a8460f2895dc1f24b3d/t/5fc8f59e2197e711ef7ef5f1/1607005600973/5307163110.pdf
- https://uploads.strikinglycdn.com/files/2940d4cf-6430-4e52-8165-9b26d5a76948/13583794309.pdf
- https://static1.squarespace.com/static/5fc78dfd03f04e270fe5326a/t/5fcf11833fa051062b3f8884/1607405956148/kunujinabujituwan.pdf
- https://s3.amazonaws.com/muwemivumazulax/psl_live_stream.pdf
- https://static1.squarespace.com/static/5fc0c3d560f2895dc1e72903/t/5fc15d64a97599144e2a8146/1606507876788/turn_pool_table_into_dining_table.pdf
- https://uploads.strikinglycdn.com/files/a82dbc42-9092-4edf-a734-721cde6919b6/dudunozamoloxomi.pdf
- https://static1.squarespace.com/static/5fc509f16b97992eb5765355/t/5fca09c641142a3c4b449de1/1607076295438/my_new_baby_twins_game.pdf
- https://static1.squarespace.com/static/5fc6e81bb2e29c7ba990a9c5/t/5fcc35145d2e6f3bda2f246a/1607218452874/18399213516.pdf
- https://uploads.strikinglycdn.com/files/50e2e243-8c64-41ac-b8ad-2c527ef4bf0d/mizof.pdf
- https://uploads.strikinglycdn.com/files/7f982e4c-b7b2-4e0a-9d2c-87b4d0b4a198/sven_og_hans_uendelige_mange_lektier.pdf
- https://static1.squarespace.com/static/5fc0e627116eb00e3c4beed8/t/5fc12e5908845d0924b50a0f/1606495833386/davenisugimitudosa.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000b70a.bin | db7599518714ffd673dffa5ac58983c1e43c12ece41ce7aec5f409507ae3c0d9 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB70A | 4908 bytes |
| font_01_sfnt_off0000c79c.bin | e8dc8a8f8052ec39b06444e3d5ff86385313bc4b524bba757bf120a4dd8017a8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC79C | 10584 bytes |